Before I go on, I have tried to look through the interwebs for an answer; I scoured the forum posts so much that I feel I know the ELK staff members' names by heart (not really).
I do apologise if my insufficient research skills have failed me and I am now creating a duplicate post.
I have two configs in Logstash: dev.conf and prod.conf.

dev.conf:

```
input {
  # Plaintext Beats listener for the dev environment
  beats {
    port => 28777
    codec => "json"
  }
}

filter {
  # Use the event's own ISO8601 "timestamp" field as @timestamp
  date {
    match  => ["timestamp", "ISO8601"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    index => "dev-log-index-1"
    hosts => ["localhost:9200"]
  }
}
```
prod.conf:

```
input {
  # TLS Beats listener for prod; force_peer requires a client certificate
  # signed by ca.crt (mutual TLS), so unauthenticated shippers are rejected
  beats {
    port => 28000
    codec => "json"
    ssl => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key => "/etc/logstash/logstash.key"
    ssl_verify_mode => "force_peer"
    ssl_certificate_authorities => ["/etc/logstash/ca.crt"]
  }
}

filter {
  # Same timestamp handling as dev
  date {
    match  => ["timestamp", "ISO8601"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    index => "prod-log-index-1"
    hosts => ["localhost:9200"]
  }
}
```
I chose to separate the logs for the different environments like this, but I find entries from dev-log-index-1 being attached to prod-log-index-1 and vice versa. As a result I am not able to see prod-only or dev-only logs under the corresponding Kibana index pattern, even though these configs specify separate input ports and indexes.
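An added note with example configuration; this is not part of the original post. When Logstash is pointed at a directory of config files (the packaged default is a single `main` pipeline with `path.config: "/etc/logstash/conf.d/*.conf"` in pipelines.yml), every file in that directory is concatenated into one pipeline: both `beats` inputs feed one event stream, and every event is then written by both `elasticsearch` outputs, which is exactly the cross-contamination described above. The separate ports and index names do not isolate anything on their own. Running each file as its own pipeline keeps the streams apart; the file paths below are assumptions, and the default `main` entry with the `*.conf` glob must be removed or it will keep merging both files:

```yaml
# /etc/logstash/pipelines.yml (path assumed; adjust to your install)
# One pipeline per environment, each with its own input, filter and output.
- pipeline.id: dev
  path.config: "/etc/logstash/conf.d/dev.conf"
- pipeline.id: prod
  path.config: "/etc/logstash/conf.d/prod.conf"
```

The alternative, if a single pipeline is preferred, is to add `tags => ["dev"]` / `tags => ["prod"]` to the respective `beats` inputs and wrap each `elasticsearch` output in `if "dev" in [tags] { ... }` / `if "prod" in [tags] { ... }`. Separate pipelines are the cleaner choice here because they also keep a mutual-TLS-authenticated prod stream from ever sharing a filter chain with a plaintext dev listener. Confirm the result by searching each index in Kibana for events whose Beats `host` or `agent` fields belong to the other environment; none should appear.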